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ABSTRACT: 

In accordance with a first aspect of the present invention, a security sensitive program that 
operates with a secret is made tamper resistant t>y distributing the secret in space as well as in 
time. In accordance with a second aspect of the present invention, a security sensitive program is 
made tamper resistant by obfuscating the program. In accordance with a third aspect of the 
present invention, a security sensitive application is made tamper resistant by isolating its security 
sensitive functions, and making the isolated security sensitive functions tamper resistant by 
distributing the secrets of the security sensitive functions in time as well as in space, and/or 
obfuscating the security sensitive functions. In one embodiment where obfuscation is employed, 
the pseudo-randomly selected pattern(s) of mutations is (are) unique for each installation. In 
accordance with a fourth aspect of the present invention, a security sensitive system with security 
sensitive applications is made further tamper resistant by deploying an interlocking trust 
mechanism. In accordance with a fifth aspect of the present invention, a content industry 
association, in conjunction with content manufacturers, content reader manufacturers, and 
content player manufacturers of the industry jointiy implement a coordinated 
encryption/decryption scheme, with the player apparatus manufactured by the content player 
manufacturers employing playing software that include tamper resistant decryption functions. 



WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 




PCX 

INTHINATIONAL APPLICATION PUBUSHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) InternaUonal Patent Classification ^ : 
H04K ITDO 



Al 



(11) IntNnational Publication Number: WO 97/48203 

(43) International Publication Date: 18 December 1997 (18 J 2.97) 



(21) International AppHcaUon Number: PCT/US97/ 10359 

(22) International Filing Date: 1 2 June 1 997 ( 1 2.06.97) 



(30) Priority Data: 
08/662.679 



13 June 1996(13.06.96) 



US 



(71) Applicant: INTEL CORPORATION [US/US]; 2200 Mission 

College Boulevard. Santa Qara. CA 950S2 (US). 

(72) Inventors: AUCSMITH. David; 6995 S.W. Uber Road, 

Portland. OR 97225 (US). GRAUNICE. (jaiy; 12120 S.W. 
Trail Place. Beavcrton, OR 97008 (US). 

(74) Agents: TAYLOR. Edwin, H. et al.; Blakely. Sokoloff, Taylor 
& Zafman LLP, 7th floor. 12400 Wilshirt Boulevard. Los 
Angeles. CA 90025 (US). 



(81) Designated States: AL. AM. AT. AT (Utility model). AU 
(Petty patent). AZ. BA. BB, BG. BR, BY. CA, CH, CN. CU. 
CZ. CZ (Utility model), DE. DE (Utility model). DK. DK 
(Utility model). EE, EE (Utility model). ES. FI, FI (Utility 
model). GB. GE. GH, HU, IL. IS. JP, KE, KG. KP. KR. 
ICZ. LC. LK. LR. LS, LT, LU. LV, MD, MG, MK, MN, 
MW, MX. NO. NZ. PL. PT, RO, RU. SD, SE. SO, SI, SK. 
SK (Utility model). TJ. TM. TR. TT. UA. UG. UZ, VN. 
YU. ZW, ARIPO patent (GH. KE. LS. MW. SD. SZ. UG. 
ZW), Eurasian patent (AM. AZ. BY. KG. KZ, MD. RU. TJ, 
TM). European patent (AT. BE. CH, DE. DK. ES. FI. PR. 
GB. GR. IE. IT. LU. MC, NL, PT. SE). OAPl patent (BF. 
BJ. CF. CG. CI, CM. GA, GN. ML. MR. NE. SN. TD. TG), 



Published 

With international search report. 

Before the expiration of the time limit for amending the 
claims and to be republished in the event of the receipt of 
amendments. 



(54) Title: TAMPER RESISTANT METOODS AND APPARATUS 

(57) Abstract 

In accordance with a first aspect of the present invention, 
a security sensitive program (100) that operates with a secret 
(101) is made tamper resistant by distributing the secret in 
space as well as in time, in accordance with a second aspect 
of the present invention, a security sensitive program is made 
tamper resistant by obfuscating the progxam. In accoftiance 
with a third aspect of the present invention, a security sensitive 
api^ication is made tamper resistant by isotadng its security 
sensitive functions, and making the iscriated security sensitive 
functions tamper resistant by distributing the secrets of the 
security sensitive functions in time as well as in space, 
and/or obfuscating the security sensitive functions, bi one 
embodiment where obfuscation is employed, the pseudo- 
randomly selected patteni(s) of mutations is (are) unique for 
each installation. In acccmlance with a fouxth aspect of the 
present invention, a security sensitive system with security 
sensitive applications is made further tamper resistant by 
deploying an interiocking trust mechanism. In acccHidance 
with a fifth aspect of the present invention, a content industry 
association, in conjunction with content manufacturers, content 
reader manufacturers, and content player manufacturers of the 
industry jointly implement a coordinated encryption/deciyption 
scheme, with the player apparams manufactured by the content 
player manufacturers employing playing software that include 
tamper resistant decryption functions. 
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Tamper Resistan t Methods And Apparatus 

R ^rXfiROUND OF THE INVENTION 

5 1. pjQl^i of the Invention 

The present invention relates to the field of system security. More 
specif icaliy. the present invention relates to the tamper resistant methods and 
apparatus. 

10 

2. packaround Infomiation 

Many applications, e.g. financial transactions, unattended authorizations 
and content management, require the basic integrity of their operations to be 

15 assumed, or at least verified. While a number of security approaches such as 

encryption and decryption techniques are known in the art, unfortunately, the security 
approaches can be readily compromised, because these applications and the 
security approaches are implemented on systems with an open and accessible 
architecture, that renders both hardware and software including the security 

20 approaches observable and modifiable by a malevolent user or a malicious program. 

Thus, a system based on open and accessible architecture is a 
fundamentally insecure platform, notwithstanding the employment of security 
measures. However, openness and accessibility offer a number of advantages, 
25 contributing to these systems' successes. Therefore, what is required are techniques 
that will render software execution virtually unobsen/able or unmodifiable on these 
fundamentally insecure platforms, notwithstanding their openness and accessibility. 
As will be disclosed in more detail below, the present invention of tamper resistant 
methods and apparatus achieve these and other desirable results. 

30 

SUMMARY OF THE INVENTION 

In accordance with a first aspect of the present invention, a security 
sensitive program that operates with a secret is made tamper resistant by distributing 
35 the secret in space as well as in time. The secret is partitioned into a number of 

subparts, and the security sensitive program is unrolled into a number of subprograms 
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that operate with the subparts, one subpart per subprogram. The subprograms are 
then executed over a period of time. In one embodiment, the subprograms are further 
interleaved with unrelated tasks. In one application, the security sensitive program is 
a decryption program and the secret is a private key. 

5 

In accordance with a second aspect of the present Invention, a secunty 
sensitive program Is made tamper resistant by obfuscating the program . The security 
sensitive program Is divided into a number of subprograms, and a plaintext 
appearance location schedule is selected for the subprograms. Ah appropriate 

10 mutated initial state is determined for each of the subprograms, except for the 

subprogram where the program's entry point is located. The mutated initial states are 
determined based on one or more pseudo-randomly selected patterns of mutations 
that return the program to the initial state at the end of an execution pass. During 
execution, the subprograms are recovered when they are needed, one or more but 

15 not all at a time, following the pseudo-randomly selected pattem(s) of mutations. In 
one embodiment, each pseudo-randomly selected pattern of mutations is determined 
using a predetermined partnership function in conjunction with an ordered set of 
pseudo-random keys. In one application, the security sensitive program is a 
decryption program that operates with a secret private key. The decryption program 

20 may or may not have been made tamper resistant by distributing the secret private key 
in time as well as in space. 

In accordance with a third aspect of the present inventran. a security 
sensitive appteation is made tamper resistant by isolating its security sensitive 

25 functions, and making ttie Isolated security sensitive functions tamper resistant by 
distributing the secrets of the security sensitive functions in time as well as in space, 
and/or obfuscating the security sensitive functions. In one embodiment where 
obfuscation is employed, the pseudo-randomly selected pattem(s) of mutations is 
(are) unique for each installation. In one application, the application is a content 

30 management application having a decryption function. 

In accordance with a fourth aspect of the present invention, a security 
sensitive system with security sensitive applteations is made further tamper resistant 
by providing a system integrity verification program having tamper resistant integrity 
35 verification kernels, that jointly deploy an interiocking hust mechanism with the tamper 
resistant security sensitive functions of the security sensitive applications. In one 
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application, the system is a content manipulation system, and the application is a 
content management application. 

In accordance with a fifth aspect of the present invention, a content 
Industry association. In conjunction with content manufacturers, content reader 
manufacturers, and content player manufacturers of the industry jointly implement a 
coordinated encryption/decryption scheme, with the player apparatus manufactured 
by the content player manufacturers employing playing software that include tamper 
resistant decryption functions. 

PRIPP nFRCRlPTinN OF nRAWINGg 

The present invention will be described by way of embodiments, but not 
limitations, illustrated In the accompanying drawings in which like references denote 

similar elements, and in which: 

Figure 1 is a bloci< diagram illustrating a first aspect of the present 
invention for making a security sensitive program tamper resistant by distributing the 
program's secret(s) in time and in space; 

Figure 2 is a block diagram illustrating one embodiment of the first 
aspect of the present invention including a subprogram generator for generating the 
subprograms that operate with corresponding subparts of the distributed secret(s); 

Figure 3 is a flow diagram lllustreting one embodiment of the 
operational flow of the subprogram generator of Figure 2; 

Figure 4 is a block diagram illustrating a second aspect of the present 
Invention for making a security sensitive program tamper resistant by obfuscating the 
various subparts of the security sensitive program; 

Figure 5 is a block diagram illustrating one embodiment of a subpart of 

the obfuscated program; 

Figure 6 is a block diagram Illustrating one embodiment of the second 
aspect of the present Invention Including an obfuscation processor for generating the 

obfuscated program; 

Figure 7 is a graphical diagram illustrating distribution of key period for 

the second aspect of the present invention; 

Figures 8a - 8b are flow diagrams illustrating one embodiment of the 
operational flow of the obfuscation processor of Figure 6; 
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Figure 9 is a flow diagram illustrating one embodiment of the 
operational logic of an obfuscated subprogram of the obfuscated program; 

Figures 10 - 14 are diagrams illustrating a sample application of the 
second aspect of the present invention; 
5 Figure 15 is a block diagram illustrating a third aspect of the present 

invention for making a security sensitive application tamper resistant; 

Figure 16 is a block diagram illustrating a fourth aspect of the present 
inventicm for making a security sensitive systenr^ tamper resistant; 

Figure 17 is a block diagram illustrating a fifth aspect of the present 
10 invention for making security sensitive industry tamper resistant; and 

Figures 18 - 19 are block diagrams illustrating an example computer 
system and an embedded controller suitable for programming with the various 
aspects of the present invention. 

15 nPTAH gP DESn PIPTIQN OF THE INVENTION 

In the following description, various aspects of the present invention will 
be described. However, it will be apparent to those skilled in the art that the present 
invention may be practiced with only some or all aspects of the present invention. For 
20 purposes of explanation, specific numbers, materials and configurations are set forth in 
order to provide a thorough understanding of the present invention. However, it will 
also be apparent to one skilled in the art that the present invention may be prarticed 
without the specific details, in other instances, well known features are omitted or 
simplified in order not to obscure the present invention. 

25 

Parts of the description will be presented in terms of operations performed 
by a computer system, using temns such as data, flags, bits, values, characters, strings, 
numbers and the like, consistent with the manner commonly employed by those skilled 
in the art to convey the substance of their worit to others skilled in the art. As well 

30 understood by those skilled in the art. these quantities take the fomn of electrical, 
magnetto, or optical signals capable of being stored, transfen^d, combined, and 
otherwise manipulated through mechanicai and electrical components of the computer 
system; and the terni computer system include general purpose as well as special 
purpose data processing machines, systems, and the like, that are standalone, adjunct 

35 or embedded. 
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Various operations will be described as multiple discrete steps m turn in a 
manner that is most helpful in understanding the present Invention, however, the order 
of description should not be construed as to imply that these operations are necessanly 
order dependent, in particular, the order of presentation. 

Referring now to Figure 1. a block diagram illustrating a first aspect of 
the present invention is shown. In accordance with this first aspect of the present 
invention, security sensitive program 100 Is made tamper resistant by distributing rts 
secret in space as well as in time. The secret (not shown in totality) is -partitioned 
into subparts 101. and program 100 is unrolled into a number of subprograms 102 
that operate with subparts 101; for the Illustrated embodiment, one subpart 101 per 
subprogram 102. Subprograms 102 are then executed over a period of time. As a 
result, the complete secret cannot be obsen/ed or modified in any single point in 
space nor in any single point in time. 

For example, consider the artificially simple "security sensitive" program 
for computing the result of X multiply by S. where S is the secret. Assuming S equals 
to 8. S can be divided Into 4 subparts, with each subpart equals 2. and the "security 
sensHive" program can be unrolled Into 4 subprograms with each program computing 
A = A + (X multiply by 2). Thus, the complete secret 8 can never be obsen/ed or 
modified in any point in space nor time. 

As a further example, consider the "security sensitive" program for 
computing the result of (X to the power of S) modulo Y. where S again is the secret. 
If S equals 16, S can be divided into 8 subparts, with each subpart equals 2, and the 
■security sensitive" program can be unrolled into 8 subprograms with each program 
computing A = (A multiply by ((X to the power of 2) modulo Y)) modulo Y. Thus, the 
complete secret 16 can never be obsen/ed or modified in any point in space nor time. 

As will be appreciated by those skilled in the art. the function (X to the 
power of S) modulo Y is the basis function employed In many asymmetric key 
(private/publk: key) schemes for encryption and decryption. Thus, by practicing this 
first aspect of the present Invention, an encryption/decryption function can be made 
tamper resistant. 
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in one embodiment, the subprograms are further Interleaved with 
unrelated tasks to further obscure the true nature of the tasks being performed by the 
unrolled subprograms. The tasks may even have no purpose to them. 

5 Figure 2 illustrates one embodiment of the first aspect of the present 

invention including a subprogram generator for generating the subprograms. For the 
illustrated embodiment, subprogram generator 104 is provided with the secret as 
Input. Furthermore, subprogram generator 104 is provided with access to library 105 
having entry, basis and prologue subprograms 106, 108, and 109 for used in 

10 generating subprograms 1 02 of a particular security sensitive program in view of the 
secret provided. In other words, entry and basis subprograms 106 and 108 
employed are different for different security sensitive programs. For the above 
illustrated examples, in the first case, entry and basis subprograms 106 and 108 will 
initialize and compute A = A + (X multiply by a subpart of S), whereas in the second 

15 case, entiy and basis subprograms 106 and 108 will initialize and compute A = (A 
multiply by ((X to the power of a subpart of S) modulo Y)) modulo Y. Prologue 
subprogram 109 Is used to perform post processing, e.g. outputting the computed 
results as decrypted content. 

20 For the illustrated embodiment, entry subprogram 106 is used in 

particular to initialize an appropriate runtime table 110 for looking up basis values by 
basis subprogram 108, and basis subprogram 108 is used to perfonm the basis 
computation using runtime table 110. For the rnodulo function example discussed 
above, runtime table 110 is used to retum basis values for (X to the power of a 

25 subpart of secret) modulo Y for various subpart values, and basis subprogram 108 is 
used to perfomi the basis computation of A = (A multiply by (basis value of a subpart 
of secret)) modulo Y, where A equals the accumulated intemiediate results. A s initial 
value is 1. 

30 For example, entry subprogram 106 may initialize a runtime table 110 

of size three for storing the basis values of bv1 , bv2 and bv3, where bvl , bv2 and bv3 
equal (X to the power of 1 ) modulo Y, (X to the power of 2) modulo Y, and (X to the 
power of 3) modulo Y respectively. For the modulo function (X to the power 5) modulo 
Y, subprogram generator 104 may partition the secret 5 into two subparts with 

35 subpart values 3 and 2, and generate two basis programs 108 computirtg A = (A * 
Lkup(3)) modulo Y and A = (A M-kup(2)) modulo Y respectively. 
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Figure 3 illustrates one embodiment of the operational flow of 
subprogram generator 104 of Figure 2. For the illustrated embodiment, upon 
invocation, subprogram generator 104 first generates an instance of entry 

5 subprogram 106 for Initializing at least an appropriate runtime lookup table 110 
(Ucup) for returning the basis values of a modulo function for various subparts of a 
secret and an accumulation variable (A) to an appropriate initial state, step 112. 
Subprogram generator 104 then partitions the secret into subparts, step 114. In one 
embodiment, the partition is perfomied to require the least number of basis programs. 

1 0 within the constraint of the basis values stored in mntime table 110. 

Next, subprogram generator 104 sets a subpart of the secret as the 
lookup index (LIDX), steps 116. Then, subprogram generator 104 generates the 
cun^nt basis subprogram to compute A = [A multiply by Lkup (LIDX)] modulo Y. step 
15 118. Subprogram generator 104 repeats steps 116 - 118 for all subparts, unt.1 a 
basis program has been generated for each subpart of the secret, step 120. Finally, 
subprogram generator 104 generates an instance of prologue subprogram 109 for 
performing post processing, as described earlier, step 122. 

20 Figure 4 illustrates a second aspect of the present invention. In 

accordance with this second aspect of the present invention, security sensitive 
program 203 is made tamper resistant by obfuscating the program. Security sensitive 
program 203 is divided and processed into a number of obfuscated subprograms 
204. A plaintext (i.e. unmutated) appearance location schedule (i.e. where in 
25 memory) is selected for obfuscated subprograms 204. For the illustrated 

embodiment, the plaintext appearance location schedule is fomiulated in terms of the 
memory cells 202 of two memory segments, memory segment 201a and memory 
segment 201b. Initially, except for the obfuscated subprogram 204 where the 
program's entry poim is located, all other obfuscated subprograms 204 are stored in 

30 mutated states. Obfuscated subprograms 204 are recovered or made to appear in 
plaintext form at the desired memory cells 202, one or more at a time, when they are 
needed for execution, and mutated again, once executions are completed. As will be 
described in more detail below, the Initial mutated states, and the process of recovery 
are detemiined or perfonned, in accordance with one or more pseudo-randomly 

35 selected pattern of mutations. The pseudo-randomly selected pattem(s) of mutations 
is (are) detemiined using a predetennined mutation partnership function in 
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conjunction with one or more ordered sets of pseudo-random keys. As a resuH. 
obfuscated subprograms 204 cyclically mutate back to their respective initial states 
after each execution pass. Actually, obfuscated subprograms 204 implementing the 
same loop also cyclically mutate back to the loop entry states after each pass through 
5 the loop. 

For the illustrated embodiment, each obfuscated subprogram 204 and 
each cell 202 are of the same size, and first memory segment 201a is located in high 
memory, whereas second memory segment 201b is located in low memory. 
10 Furthermore, there are even number of obfuscated subprograms 204. employing 
dummy subprogram if necessary. 

Rgure 5 illustrated one embodiment of subprogram 204. In 
accordance with the present Invention, for the Illustrated embodiment, in addition to 

15 original subprogram 102. obfuscated subprogram 204 is provided with mutation 
partner identification function 206. mutation function 207. partner key 208 and jump 
bkxjk 209. Original subprogram 102 perfomis a portion of the functions perfonned 
by program 200. Original subprogram 102 may be an entry/basis/prologue 
subprogram 106/108/109 in accordance with the first aspect of the present 

20 invention. Mutation partner identification function 206 is used to identify the partner 
memory cells 202 for all memory cell 202 at each mutation round. In one 
embodiment, the partner identification function 206 Is the functton: Partner Cell ID = 
Cell ID XOR Pseudo-Random Key. For a pseudo-random key, mutation partner 
Wentiffcatfon function 206 will Wentify a memory cell 202 in the second memory 

25 segment 201b as the partner memory cell for of a memory cell 202 in the first 

memory segment 201a, and vice versa. Only ordered sets of pseudo-random keys 
that will provide the required periods for the program and its loops will be employed. 
The length of a period is a function of the pseudo-random keys' set size (also refen-ed 
to as key length). Mutation function 207 is used to mutate the content of the various 
30 memory cells 202. In one embodiment, mutatton function 207 XORs the content of 
each memory cell 202 in first memory segment 201a into the partner memory cell 
202 In second memory segment 201b in an odd mutation round, and XORS the 
content of each memory cell 202 in second memory segment 201b into the partner 
memory cell 202 in first memory segment 201a in an even mutation round. Partner 
35 key 208 is the pseudo-random key to be used by mutation partner identification 
function 206 to identify mutation partners of the various memory cells 202 for a 
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mutation round. Jump block 209 transfers execution control to the next obfuscated 
subprogram 204, which at the time of transfer, has been recovered into plaintext 
through the pseudo-random pattern of mutations. 

In one embodiment, an obfuscated subprogram 204 may also include 
other functions being performed for other purposes or simply unrelated functions 
being perfonned to further obscure the subpart functions being perfom^d. 

Figure 6 illustrates one embodiment of the second aspect of the 
present invention including an obfuscation processor for processing and transforming 
subprograms into obfuscated subprograms. For the illustrated embodiment, 
obfuscation processor 214 is provided with program 200 as Inputs. Furthemtore. 
obfuscation processor 214 Is provided with access to pseudo-random keys* key 
length lookup table 212. mutation partner identification function 206. and mutation 
function 207. For the illustrated embodiment, obfuscation processor 214 also uses 
two woridng matrices 213 during generation of obfuscated program 203. 

Key length lookup table 212 provides obfuscation processor 214 with 
key lengths that provide the required periods by the program and its loops. Key 
lengths that will provide the required periods is a function of the mutation technique 
and the partnership function. Figure 7 illustrates various key lengths that will provide 
various periods for the first and second memory segment mutation technique and the 
partnership function described above. 

Referring back to Figure 6. mutation partner identification function 206 
identifies a mutatton partner memory cell 202 for each memory cell 202. In one 
embodiment, mutation partner identification function 206 identifies mutation partner 
memoiy cells in accordance with the "XOR" mutation partner identification function 
described eariier. Mutation function 207 mutates all memory cells 202. In one 
embodiment, mutation function 207 mutates memory cells 202 in accordance with 
the two memory segments, odd and even round technique described eariier. 

For the illustrated enribodiment, working matrices 213 include two 
matrices Ml and M2. Woriting matrix Ml stores the Boolean functions of the current 
state of the various memory cells 202 in terms of the initial values of memory cells 
202. Woridng matrix M2 stores the Boolean functions for recovering the plaintext of 
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the various obfuscated subprograms 204 in terms of the initial values of memory cells 
202. 

Referring now to Rgures 8a - 8b. two block diagrams illustrating one 
5 embodiment of obfuscation processor 214 are shown. For the illustrated 

embodiment, as shown In Rg. 8a in response to a program input (in object fomn). 

obfuscation processor 214 analyzes the program, step 216. In particular. 

obfuscation processor 214 analyzes branch flow of the program, identifying loops 

within the program, using conventional compiler optimization techniques known in the 
10 ait. For the purpose of this application, any execuHon control transfer, such as a call 

and subsequent return, is also considered a "loop". 

Next, obfuscation processor 214 may perform an optional step of 
peephole randomization, step 218. During this step, a peephole randomization pass 
15 over the program and replaces code patterns with random equivalent patterns chosen 
from an optional dictionary of such patterns. Whether it is performed depends on 
whether the machine architecture of the instructions provide altemate ways of 
accomplishing the same task. 

20 Then, obfuscation processor 214 restructures and partitions the 

program 200 into a number of equal size subprograms 204 organized by their loop 
levels, padding the subprograms 204 if necessary, based on the analysis results, 
step 220. Except for very simple program with a single execution path, virtually all 
programs 200 will require some amount of restmcturing. Restructuring includes e.g. 

25 removing as well as adding branches, and replicating instructions in different loop 
levels. Restructuring is also performed using conventional compiler optimization 
techniques. 

Finally, obfuscation processor 214 determines the subprograms' 
30 plaintext appearance location schedule, and the initial state values for the various 
memory cells 202. step 221. 

Fig. 8b Illustrates step 221 in further detail. As shown, obfuscation 
processor 214 first initializes first working matrix M1 . step 222. Then, obfuscation 
35 processor 214 selects a memory cell for the program's entry subprogram to appear in 
plaintext, step 223. In one embodiment, the memory cell 202 is arbitrarily selected 
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(within the proper memory segment 201a^\201b). Once selected, obfuscation 
processor 214 updates the second working matrix M2, step 224. 

Next obfuscation processor 214 selects an appropriate key length 
5 based on the procedure's period requirement, accessing key length table 212. step 
226 Obfuscation processor 214 then generates an ordered set of pseudo-random 
keys based on the selected key length, step 228. For example, if key length equals 5 
is selected among the key lengths that will provide a required penod of 30. 
obLtcln processor 214 may random^ select 17. 18. 20. 24 and 16 as the ordered 
10 pseudo-random keys. 

Next obfuscation processor 214 detemrtines the partner memory cells 
202 for all memory cells 202 using the predetemilned mutation partner identification 
function 206 and the next key in the selected set of ordered pseudo-random keys. 
15 step 230. Upon making the determination, obfuscation processor 214 simulates a 
mutation, and updates f^l to reflect the results of the mutation, step 232. 

Once mutated, obfuscation processor 214 selects a memory cell for the 
next subprogram 204 to appear in plaintext, step 234. Having done so. obfuscation 

20 processor 214 updates M2. and mciementaliy invert M2 using the Guassian Method, 
step 235 In one embodiment, instead of incremental inverston. obfuscation 
processor 214 may just verify M2 remains invertable instead. If M2 Is not invertable. 
obfuscation processor 214 cancels the memory cell selection, and restores M2 to its 
prior state, step 237. Obfuscation processor 214 repeats steps 234 - 236 to select 

25 another memory cell 202. Eventually, obfuscation processor 214 becomes 
successful. 

Once succeeded, obfuscation processor 214 detemnines if there was a 
loop level change, step 238. If there was a loop level change, obfuscation processor 

30 214 further detemiines if the loop level change is down level or up level change, i.e. 
the subprogram is an entry subprogram of a new loop level or a return point of a 
higher loop level, step 239. If the loop level change is "down", obfuscation processor 
214 selects another appropriate key length based on the new loop's period 
requirement, accessing key length table 212, step 241. Obfuscation processor 214 

35 then generates a new ordered set of pseudo-random keys based on the newly 

selected key length, step 242. The newly generated ordered set of pseudo-random 
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keys becomes the "top" set of pseudo-random keys. On the other hand, if the loop 
level change Id "up", obfuscation processor 214 restores an immediately "kswer' set 
of pseudo random keys to be the top" set of pseudo-random keys, step 240. 

5 Upon properly organizing the "top" set of pseudo-random keys or upon 

determining there's no loop level change, obfuscation processor 214 again 
determines the partner memory cells 202 for all memory cells 202 using the 
predetermined mutation partner identification function 206 and the next key in the 
-top" set of ordered pseudo-random keys, step 243. Upon making the detennination. 

10 obfuscation processor 21 4 simulates a mutation, and updates Ml to reflect the results 
of the mutation, step 244. 

Once mutated, obfuscation processor 214 detemnines if there are more 
subprograms 204 to process, step 245. If there are more subprograms 204 to 

15 process, obfuscatton processor 214 returns to step 234 and proceeds as described 
eariier. Othenwise, obfuscation processor 214 inserts the mutation partner 
identification function 206, the partner key to be used to identify mutation partner 
memory cells, the mutation function, the jump block, and the address of the next 
subprogram 204 into each of the obfuscated subprograms 204, step 246. Finally. 

20 obfuscation processor 214 computes the Initial values of the various obfuscated 
subprograms 204, and outputs them, steps 247 - 248. 

Figure 9 illustrates one embodiment of the operational flow of an 
obfuscated subprogram 204. For the illustrated embodiment, obfuscated subprogram 

25 204 first executes the functions of the original subprogram, step 250. For 

embodiments including additional and/or unrelated functions, they may be executed 
also. Then obfuscated subprogram 204 executes mutation partner identification 
function 206 to identify the mutation memory cell partners for all memory cells 202 
using the stored partner key. step 252. Having Identified the mutation partners. 

30 obfuscated subprogram 204 executes mutation function 207 to mutate the merrr^y 
cells based on the identified partnership. 



35 



Next, depending on whether obfuscated subprogram 204 is the last 
subprogram in an execution pass, obfuscated subprogram 204 either jumps to the 
next obfuscated subprogram (which should be in plaintext) or returns to the "caller". 
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Note that if obfuscated subprogram 204 returns to the "caller", all other obfuscated 
subprograms 204 are in their respective Initial states. 

Figures 10 - 14 illustrate a sanrtple application of this second aspect of 
5 the present invention. Figure 10 illustrates a sample security sensitive program 200 
having six subprograms SPGMO - SPGfy/15 implementing a simple single level logic, 
for ease of explanation, with contrived plaintext values of "000". "001 •010". "01 
•100- and "111'. Thus, the required period is 6. For ease of explanation, a keylength 
of one will be used, and the pseudo-random key selected is 3. Furthemiore. the 
10 mutation partnership identification function is simply Partner Cell ID = Cell ID + 3. i.e. 
cell 0 always pairs with cell 3. cell 1 pairs with cell 4. and cell 2 pairs with cell 5. 

Figure 10 further illustrates at invocation (mutation 0). memory cells (cO 
- c5) contains initial values (ivO - iv5). as reflected by Ml . Assuming, cell cO Is chosen 

15 for SPGMO. M2 is updated to reflect that the Boolean function for recovering the 
plaintext of SPGMO is simply ivO. Figure 10 further illustrates the values stored in 
memory cells (cO - c5) after the first mutation. Note that for the illustrated mutation 
technique, only the content of the memory cells (c3 - c5) have changed. M1 is 
updated to reflect the current state. Assuming, cell c3 is chosen for SPGM1 . M2 is 

20 updated to reflect that the Boolean function tor recovering the plaintext of SP6M1 is 
simply ivO XOR Iv3. Note that for convenience of manipulation, the columns of M2 
have been swapped. 

Figure 11 illustrates the values stored in memory cells (cO - c5) after 
25 the second, third and fourth mutations. As shown, the content of half of the memory 
cells (CO - c5) changed altematingly after each mutation. In each case. Ml is updated 
to reflect the current state. Assuming, cells c1, c4 and c2 are chosen for SPGM2. 
SPGM3 and SPGM4 respectively after the second, third and fourth mutations 
respectively, in each case M2 is updated to reflect that the Boolean functions for 
30 recovering the plaintexts of SPGM2. SPGM3 and SPGM4. i.e. iv4, ivi , and iv2 XOR 
iv5. 

Figure 12 Illustrates the values stored in memory cells (cO - c5) after 
the fifth mutation. As shown, the content of memory cells (c3 - c5) changed as in 
35 previous odd rounds of mutation. Ml is updated to reflect the cun-ent state. 
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Assuming, cell c5 is chosen for SPGM5, M2 is updated to reflect that the Boolean 
function for recovering the plaintext of SPGM5 is iv5. 

Figure 13 Illustrates how the initial values ivO - iv5 are calculated from 
5 the inverse of f^. since M2 x ivs = SPGI^s. Ivs = M2-1 x SPGMs. Note that a "1" in 
M2^^ denotes the corresponding SPGM is selected, whereas a "0" in M2-1 denotes 
the corresponding SPGM is not selected, for computing the initial values (ivO - iv5). 

Figure 14 illustrates the content of the memory cells of the above 
10 example during execution. Note that at any point In time, at most only two of the 

subprograms are obsen/able in their plaintext fomis. Note that the pairing of mutation 
partners is fixed only because of the single pseudo-random key and the simple 
mutation partner function employed, for ease of explanation. Note also that with 
another mutation, the content of the memory cells are bacl< to their initial states. In 
15 other words, after eadi execution pass, the subprograms are in their initial states, 
ready for another invocation. 

As will be appreciated by those skilled in the art, the above example is 
unreallstically simple for the purpose of explanation. The plaintext of a subprogram 
20 contains many more "0" and "1 " bits, making it virtually impossible to distinguish 

memory cell storing an obfuscated subprogram in a mutated state from a memory cell 
storing an obfuscated subprogram in plaintext fonm. Thus, it is virtually impossible to 
infer the plaintext appearance location schedule from observing the mutations during 
execution. 

25 

Figure 15 illustrates a third aspect of the present invention. In 
accordance with this aspect of the present invention, security sensitive application 
300 may be made tamper resistant by isolating its security sensitive functions 302 
and making them tamper proof by incorporating the first and/or second aspects of the 
30 present invention described above. 

In employing the above described second aspect of the present 
invention, different sets of pseudo-random keys will produce a different pattern of 
mutations, even with the same mutation partner identification function. Thus, copies of 
35 the security sensitive application installed on different systems may be made unique 
by employing a different pattem of mutations through different sets of pseudo-random 
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keys Thus, the security sensitive appii Jons installed in different systems are further 
resistant from class attack, even if the obfuscation scheme is understood from 
observation on one system. 

Figure 16 illustrates a fourth aspect of the present invention. In 
accordance with this aspect of the present invention, a security sensitive system 400 
may be made tamper resistant by making its security sensitive applications 400a and 
400b tamper resistant in accordance with the first, second and/or third aspects of the 
present invention described above. Furthemiore. security of system 400 may be 
further strengthened by providing system integrity verification program (SIVP) 404 
having a number of integrity verification kernels (IVKs). For the illustrated 
embodiment, a first and a second level IVK 406a and 406b. First level IVK 406a 
has a published external interface for other tamper resistant security sensitive 
functions (SSFs) 402a - 402b of the security sensitive applications 400a - 400b to 
call Both IVKs are made tamper resistant in accordance with the first and the second 
aspects of the present invention described eariier. Together, the tamper resistant 
SSFs 402a - 402b and IVKs 406a - 406b implement an interiocking trust 
mechanism. 

In accordance with the interlocking tmst mechanism, for the illustrated 
embodiment, tamper resistant SSF1 and SSF2 402a - 402b are responsible for the 
integrity of security sensitive applications 400a - 400b respectively. IVK1 and IVK2 
406a - 406b are responsible for the integrity of SIVP 404. Upon verifying the 
integrity of security sensitive application 400a or 400b it is responsible for, 
SSF1/SSF2 402a - 402b will call IVK1 406a. In response, IVK1 406a will verify 
the integrity of SIVP 404. Upon successfully doing so. IVK1 406a calls IVK2 406b. 
whfch in response, will also verify the integrity of SIVP 404. 

Thus, In order to tamper wtth security sensitive application 400a, SSF1 
402a, IVK1 406a and IVK2 406b must be tamper with at the same time. However, 
because IVK1 and IVK2 406a - 406b are also used by SSF2 and any other SSFs 
on the system, all other SSFs must be tamper with at the same time. 

Figure 17 illustrates a fifth aspect of the present invention. In 
accordance with this aspect of the present invention, content industry association 
500, content manufacturers 502, content reader manufacturers 510 and content 
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player manufacturer 506 may jointly implement a coordinated encryption/decryption 
scheme, with content players 508 manufactured by content player manufacturers 
506 employing playing software that include content decryption function made 
tamper resistant in accordance with the above described various aspects of the 
5 present Invention. 

Content industry association SOD owns and holds secret private 
encryption key Kciapri. Content industry association 500 encrypts content 
manufacturer's secret content encryption key Kc and content player manufacturer's 
10 public encfVPtion Kppub for the respective manufacturers 502 and 506 using Kciapn. 
i.e. Kciapri(Kcl and Kciapri[Kppubl. 

Content manufacturer 502 encrypts its content product Kclctnt] and 
includes with the content product KciaprilKc]. Content reader nrianufacturer 510 
15 includes with Its content reader product 512 the public key of content industry 
association Kciapub. whereas content player manufacturer 506 includes wrth its 
content player product 508 content player manufacturer's secret private play key 
Kppri. content industry association's public key Kciapub. and the encrypted content 
player public key Kciapri[Kppub]. 

20 

During operation, content reader product 512 reads encrypted content 
Kctctntl and the encrypted content encryption key Kciapri[Kcl. Content reader product 
512 decrypts Kc using Kciapub. Concunently. content player product 508 recovers 
its publfc key Kppub by decrypting KciaprilKppub] using content industry association s 

25 public key Kciapub. Content reader product 512 and content player product 508 are 
also in communication with each other. Upon recovering its own public key, content 
player product 508 provides it to content reader product 512. Content reader product 
512 uses the provided player public key Kppub to encrypt the recovered content 
encryption key Kc, generating KppublKc], which is retumed to content player product 

30 508. In response, content player product 608 recovers content encrypt key Kc by 
decrypting Kppub[Kcl using its own private key Kppri. 

Thus, as content reader product 512 reads encrypted content Kc[ctnt], 
and fonvards them to content player product 508. content player product 508 
35 decrypts them with the recovered Kc, generating the unencrypted content (ctnt). In 
accordance with the above described aspects of the present invention, the decryption 
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functions for recovering ttie content playeJs^manufacturer's public key. and 
recovering the content encryption key Kc are made tamper resistant. 

As will be appreciated by those skilled in the art. in addition to being 
n^ade tamper resistant, by virtue of the interiocking trust, tampering with the content 
^ayer product's decryption functions will require tampering of the content industry 
association, content manufacturer and content reader manufacturer's 
enc^on/decryption functions, thus making it virtually impossible to compromise the 
various encryption/decryption functions' integnty. 

AS will be also appreciated by those skilled In the art. a manufacturer 
n,av play more than one role in the above described tamper resistant industry secunty 
ZTJ,e.,. manufacturing both the content reader and the content player products, 
as separate or combined products. 

Figure 18 illustrates a sample computer system suitable to be 
programmed with security sensitive programs/applications with or without SIVP. 
including industry wise security mechanism, made tamper resistant in accordance 
with the first, second, third, fourth and/or fifth aspect of the present invention. Sample 
20 computer system 600 includes CPU 602 and cache memoiy 604 coupled to eac* 
other through processor bus 605. Sample computer system 600 also includes h^h 
perfomiance I/O bus 608 and standard I/O bus 618. Processor bus 605 and high 
perfomiance I/O bus 608 are bridged by host bridge 606. whereas high performance 
I/O bus 608 and standard I/O bus 618 are bridged by bus bridge 610. Coupled to 
25 high performance I/O bus 608 are main memory 612, and video memory 614. 
Coupled to video memory 614 is video display 616. Coupled to standard I/O bus 
618 are mass storage 620. and keyboard and pointing devices 622. 

These elements perform their conventional functions. In particular, mass 
30 storage 620 is used to provide pemianent storage for the executable instmctions of 
the various tamper resistant programs/applications, whereas main memory 612 is 
used to temporarily store the executable instmctions tamper resistant 
programs/applications during execution by CPU 602. 

35 Figure 19 illustrates a sample embedded controller suitable to be 

programmed with security sensitive programs for a security sensitive apparatus, made 
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tamper resistant in accordance with the first, second, third, fourth and/or fifth aspect of 
the present invention. Sample embedded system 700 includes CPU 702. main 
memory 704, ROM 706 and I/O controller 708 coupled to each other through system 
bus 710. These elements also peitorm their conventional functions. In particular, 
5 ROM 706 may be used to provide permanoit and execute-in-place storage for the 
executable instructions of the various tamper resistant programs, whereas main 
memory 704 may used to provide temporary storage for various working data during 
execution of the executable Instructions of the tamper resistant programs by CPU 
702. 

10 

Thus, various tamper resistant methods and apparatus have been 
described. While the methods and apparatus of the present invention have been 
described In ternis of the above illustrated embodiments, those skiHed in the art will 
recognize that the invention is not limited to the embodiments described. The present 
IS invention can be practiced with modification and alteration within the spirit and scope 
of the appended claims. The description Is thus to be regarded as illustrative instead 
of restrictive on the present invention. 
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QLAIMS 

What is claimed is: 



1. An apparatus comprising: 

an execution unit for executing programming instructions; and 
a storage medium coupled to the execution unit, having stored therein a 
plurality of programming instmction blocks to be executed by the execution un.t dunng 
operation, the programming instruction blocks operating on con-esponding subparts of 
a secret distributed among them, and the execution being distributed over a penod of 
tinrte. 

2. The apparatus as set forth in claim 1 . wherein the programming instmction 
blocks jointly implement a decryption function, and the secret is a private key. 

3. The apparatus as set forth In claim 1 . wherein one or more of the programming 
instruction blocks further perfomi one or more unrelated tasks to further obscure the 
operations on the subparts of the secret. 

4. A machine implemented method for executing a program that operates on a 
secret in a tamper resistant manner, the method comprises the steps of: 

a) executing a first unrolled subprogram of the program at a first point a time, 
with the first unrolled subprogram operating on a first subpart of the secret; and 

b) executing a second unrolled subprogram of the program at a second point a 
time, with the second unrolled subprogram operating on a second subpart of the 
secret. 

5. The method as set forth in claim 3, wherein the first and second unrolled 
subprograms are unrolled subprograms of a decryption function; and the secret is a 
private key. 

6. The method as set forth in claim 3, wherein 

step (a) further includes the first unrolled subprogram perfonning at least a first 
unrelated task; and 

step (b) further includes the second unrolled subprogram perfomiing at least a 
second unrelated task; 
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said at least a first and a second unrelated task are performed to further 
obscure the first and second unrolled subprograms' operation on the first and second 
subparts of the secret. 

5 7. An apparatus comprising: 

an execution unit for executing programming instnjctions; and 
a storage medium having stored therein a plurality of programming instructions 
to be executed by the execution unit during operation, wherein when executed. In 
response to a secret being provided, the programming instructions partition the secret 
10 into a plurality of subparts, and generate a plurality of programming instruction blocks 
that operate on the subparts. 

8. The apparatus as set forth in claim 7. wherein the apparatus further includes a 
library having an entiy programming instruction btock, and a basis programming 

15 instmction block, to be accessed by the programming instructions In generating the 
programming instructk>n blocks. 

9. • The apparatus as set forth in claim 7, wherein during execution, 

the entry programming instruction block initializes a table of values for use by 
20 the basis programming blocks to operate on their corresponding subparts of the 
secret; and 

the basis programming blocks' operations on their conresponding subparts of 
the secret, include looking up values initialized in the table using the basis 
programming btocks' corresponding subparts of the secret. 

25 

10. A machine implemented method for generating a tamper resistant program to 
operate on a secret, the method comprising the steps of: 

a) receiving the secret; 

b) partitioning the secret into a plurality of subparts; and 

30 c) generating a plurality of subprograms to con-espondingly operate on the 

subparts of the secret. 



35 



11. The method as set forth in claim 10, wherein step (c) includes accessing a 
library having an entry subprogram, and a basis subprogram to generate the 
subprograms. 
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1 2 The method as set forth In claim 1 1 . wherein dunng execution. 

the entry subprogram Initializes a table of values for use by the basis 
subprograms to operate on their corresponding subparts of the secret: and 

the basis subprograms' operations on their corresponding subparts of the 
secret, include looking up values Initialized In the table using the basis subprograms' 
corresponding subparts of the secret. 

13. An apparatus comprising: 

an execution unit for executing programming instructions; and 
a storage medium having stored thereon a plurality of programming instruction 
blocks to be executed by the execution unit, the programming instnjction blocks being 
stored in a mutated iom, except for at least one. vrtiich is stored in a plaintext fomn. 
wherein the mutated programming instmction blocks are recovered Into the plaintext 
form during execution on an as needed basis, one or more but not ail at a time. 

14. The apparatus as set forth in claim 13. wherein each programming instruction 
block includes a first programming instruction sub-block for perfonning a task, a 
second programming instruction sub-block for computing mutation partners for a 
plurality of memory cells, a key to be employed in said computation of mutation 
partners, a third programming instruction sub-block for mutating memory cells in 
accordance with the computed mutation partnering, and a fourth programming 
instmction sub-block for transferring execution control to another programming 
instructkin block. 

1 5. The apparatus as set forth in claim 14, wherein the first programming 
Instmction sub-block operates on a subpart of a secret. 

16. The apparatus as set forth in claim 14. wherein the second programming 
instmction sub-block computes the mutation partnering by performing a logical XOR 
operation on a memory cell's identifier and the key. 

1 7. The apparatus as set forth in claim 14. wherein the key is a member of an 
ordered set of pseudo-randomly selected members, the ordered set having a set size 
that will provide a required period for a pattern of memory cell mutations, with the 
memory cells being partnered for mutatton in accordance with the computed mutation 
partnering using the key. 
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18. The apparatus as set forth in claim 1 4. wherein the memory cells are divided 
into two memory cells groups, and pair-wise partnered by the second programming 
instruction sub-block, with the partnered memory cells being in different group; and 
5 the third programming instruction sub^jlock performs a logical XOR operation on the 
contents of each pair of partnered memory cells, and alternating between the two 
memory cell groups for odd and even mutation rounds, in storing the results of the 
logical XOR operations 

10 19. A machine implemented method for executing a program, the method 
comprising: 

a) executing a first of a plurality of subprograms generated to obfuscate the 
program; 

b) computing mutation partnere for a plurality of memory cells storing the 
15 plurality of subprograms, using a key. the subprograms being stored initially in the 

memory cells in a mutated fonm. except for at least one. whtoh is stored initially in a 
plaintext form; 

c) mutating the memory cells in accordance with the computed mutation 
partnering to recover a second of the plurality of subprograms for execution. 



20 



20. The method as set forth in claim 19. wherein the first and second subprograms 
operate on a first and a second subpart of a secret. 



21 . The method as set forth in claim 19. wherein step (b) comprises perfomiing a 
25 logwal XOR operation on a memory cell's identifier and the key for each memory cell. 

22. The method as set forth in claim 19, wherein the key Is a member of an ordered 
set of pseudo-randomly selected members, the ordered set having a set size that will 
provide a required period for a pattern of memory cell mutations, with the memory 

30 cells being partnered for mutation in accordance with the computed mutation 
partnering using the key. 

23. The method as set forth in claim 19, wherein step (c) comprises perfonning 
logical XOR operations on the contents of memory cells of a first memory cell group 

35 and the contents of memory cells of a second memory cell group, and storing the 

results of the logical XOR operations into the first memory cell group if step (c) is being 
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performed for an odd number of times, and the second memory cell group if step (c) is 
being performed for an even number of times. 

The method as set forth in claim 19. wherein the method further comprises the 



24 



steps of: 

d) executing the second of the plurality of subprograms; 

e) computing mutation partners for the plurality of memoiy cells; and 

f) mutating the memory cells in accordance with the computed mutation 
partnering to mutate the first of the plurality of subprograms, and recover a third of the 
plurality of subprograms for execution. 

25. An apparatus comprising: 

an execution unit for executing programming instructions: and 
a storage medium having stored therein a first plurality of programming 
instructions to be executed by the execution unit, wherein when executed, in 
response to a program Input, the first plurality of programming instmctions generate a 
plurality of subprograms for the program to obfuscate the program, the subprograms 
being generated in a mutated form, except for at least one, which is generated in a 
plaintext form, the subprograms being further generated with logic to recover the 
subprograms in plaintext form on an as needed basis, one or more but not all at a 
time. 

26. The apparatus as set forth In claim 25, wherein the storage medium further 
having stored therein a table of keylengths to be accessed by the first plurality of 
programming instructions in generating the subprograms, the keylengths denoting 
sizes of ordered sets of pseudo-randomly selected members that will provide various 
required mutation periods. 

27. The apparatus as set forth In claim 25, wherein the storage medium further 
having stored therein a second plurality of programming instructions to be 
Incorporated Into each of the generated subprograms by the first plurality of 
programming Instructions for Identifying mutation partners for a plurality of memory 
cells storing the subprograms, for a mutation round, using a key. the key being a 
member of an ordered set of pseudo-randomly selected members that will provide a 
mutation period required by the generated subprograms. 
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28. The apparatus as set forth in claim 25. wherein the storage mediunn further 
having stored therein a second plurality of programming instmctlons to be 
Incorporated into each of the generated subprograms by the first plurality of 
programming instnictlons for mutating memory cells storing the generated 
5 subprograms in accordance with computed mutation partnerings for a mutation round. 

20. The apparatus as set forth in claim 25, wherein the first plurality of 
programming instmctions Include logic for analyzing the program for branch flow. 

10 30. The apparatus as set forth in claim 25, wherein the first plurality of 

programming instmctions include logic for performing peephole randomization on the 
program. 

31 . The apparatus as set forth in claim 25. wherein the first plurality of 

15 programming instmctions include restmcturing and partitioning the program into the 
subprograms. 

32. The apparatus as set forth in claim 25, wherein the first plurality of 
programming instmctions include logic for scheduling memory cells for the generated 

20 subprograms to be recovered in the plaintext fomi, and detemiining the appropriate 
initial values for the memory cells. 

33. The apparatus as set forth in claim 32, wherein the first plurality of 
programming instructions Include logic for detemnining a mutation period requirement 

25 for the program, a keylength for the required mutation period, the keylength denoting 
a set's set size, the set being an ordered set of pseudo-randomly selected members 
that will provide the required mutation period. 

34. The apparatus as set forth in claim 32, wherein tiie first plurality of 

30 programming instructions include logic for selecting a memory cell for a generated 
subprogram to be recovered in the plaintext form, and detemiining a Boolean function 
for recovering the generated subprogram in the plaintext forni in terms of initial state 
values of the memory cells used for storing the generated subprograms. 

35 35. The apparatus as set forth in claim 32, wherein the first plurality of 

programming Instmctions include logic for determining mutation partners for a 
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plurality of memory cells storing the generated subprograms, using a key of an 
ordered set of pseudo-randomly selected keys, simulating memory cell mutafons .n 
accordance witti the detemiined mutation partnering, and detemiining a plurality of 
Boolean functions for the memory cetts. the Boolean functions expressing the post 
mutation states of the memory cells in terns of the memory cells' initial values. 

36 A machine implemented method for generating a plurality of subprograms for a 
program to obfuscate the program, the method comprising the steps: 

a) analyzing the program for branch flow; 

b) restructuring and partitioning the program into a plurality of subprograms; 

^"'^ c) detemiining a schedule In temis of a plurality of memory cells for recovering 
the subprograms In a plaintext fomi for execution, and initial state values for the 
memory cells to store the subprograms in the memory cells in a mutated iom, except 
for at least, which is stored in one of the memory cells in tiie plaintext fomn. 

37. The machine as set forth in claim 36. wherein step (a) further Includes 
performing peephole randomization on the program. 

38 The method as set forth In claim 36, wherein step (c) includes determining a 
mutation period requirement for the program, a keylength for the required mutation 
period, the keylength denoting a sefs set size, the set being an ordered set of 
pseudo-randomly selected members that will provide the required mutation penod. 

39. The method as set forth in claim 36. wherein step (c) includes selecting a 
memoiy cell for a generated subprogram to be recovered in the plaintext fomi. and 
detennining a Boolean function for recovering tiie generated subprogram in the 
plaintext iom in terms of initial state values of the memory cells used for storing the 
generated subprograms. 

40 The method as set forth in claim 36. wherein step (c) includes determining 
mutation partners for a plurality of memory cells storing the generated subprograms, 
using a key of an ordered set of pseudo-randomly selected keys, simulating memory 
cell mutations in accordance with the detennined mutation partnering, and 
determining a plurality of Boolean functions for the memory cells, the Boolean 
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functions expressing the post mutation states of the memory cells in temns of the 
memory cells' initial values. 

41 . The method as set forth in claim 36, wherein the method further includes step 
5 (d) inserting a function and a key Into each of the generated subprograms, the 

function being used for identifying mutation partners for a plurality of memory cells 
storing the subprograms, for a mutation round, using the key, the key being a member 
of an ordered set of pseudo-randomly selected members that will provide a mutation 
period required by the generated subprograms. 

10 

42. The method as set forth in claim 36. wherein the method further includes step 
(d) inserting a function into each of the generated subprograms for mutating memory 
cells storing the generated subprograms in accordance with computed mutation 
partnerings for a mutation round. 

15 

43. An apparatus comprising: 

an execution unit for executing programming instaictions; 
a storage medium having stored therein a first and a second plurality of 
programming instructions to be executed by the execution unit, the first and second 

20 plurality of programming instructions implementing an application with the first ^ 

plurality of programming instructions implementing a security sensitive function of the 
application and the second plurality of programming instmctions implementing a non- 
security sensitive function of the application, the first plurality of programming 
instructions having incorporated a first defensive technique of distributing a secret in 

25 space and in time and/or a second defensive technique of obfuscation to render the 
first plurality of programming instructions virtually unobservable and unmodifiable 
during execution. 

44. The apparatus as set forth in claim 43, wherein the first plurality of 
30 programming instructions incorporated the second defensive technique of 

obfuscation, including one or more unique ordered sets of pseudo-randomiy selected 
members for generating one or more patterns of memory cell mutations, rendering the 
application unique from other copies of the application installed on other apparatus. 

35 45. An apparatus comprising: 

an execution unit for executing programming instructions; 
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a storage medium having stored therein a first, a second, a third, and a fourth, 
plurality of programming instructions to be executed by the execution unit, the first and 
second plurality of programming instructions Implementing a first and a second 
Integrity verification function for a first and a second application respectively, whereas 

5 the third and fourth programming Instructions Implementing a third and a fourth 
integrity verification function for a system Integrity verification program, all four 
pluralities of programming Instmctlons having Incorporated defensive techniques 
rendering them tamper resistant, the four pluralities of programming Instructions jointly 
implementing an interiocking trust mechanism, requiring the first and the second 

10 pluralities of programming instoictlons each to cooperate with both the third and fourth 
pluralities of programming Instmctions to complete any integrity verification on the 
apparatus. 

46. A machine implemented method for verifying Integrity on an apparatus, the 
15 method comprising the steps of: 

a) a first and a second tamper resistant Integrity verification function of a first 
and a second application of the apparatus Individually calling a third tamper resistant 
integrity verification function of a system integrity verification program to jointly perfonn 
integrity verification with the first and second tamper resistant integrity verification 

20 functions respectively; 

b) In response, the third tamper resistant integrity verification function calling a 
fourth tamper resistant Integrity verification function of the system integrity verification 
program to jointly perform the requested integrity verifications; 

c) the fourth tamper resistant integrity verification function providing the first and 
25 the second tamper resistant integrity verification functions with respective results of 

the requested integrity verifications. 

47. An apparatus comprising: 

an execution unit for executing programming instructions; 
30 a storage medium having stored therein a first and a second plurality of 

programming Instmctions to be executed by the execution unit, and a first secret 
private key, the first and second pluralities of programming Instmctions Implementing 
a first and a second tamper resistant decryption function, 

the first tamper resistant decryption function being used for recovering a 
35 first public key asymmetric to the first secret private key, using a second public 
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key. the first public key having been previously encrypted using a second 
secret private key asymmetric to the second public key. 

the second tamper resistant decryption functton being used for 
recovering a content encryption key using the first secret private key. the 
content encryptton key having been previously enc^rpted using the first publw 



key. 



48 The apparatus as set forth In claim 47. wherein the storage medium further 
having stored therein a third plurality of programming instructions to be executed by 
10 the execution unit, the third plurality of programming instructions implementing a third 
decryption function for recovering content using the recovered content er^cryption key. 
the content having been previously encrypted using the content encryption key. 

49. A machine implemented method for iBCOvering content, the method comprising 
15 the ste^ ^ p^yj^ l^^y ^,3ing a g^cond public key. the fiist and second 

public keys having a first and a second asymmetric private key respectively, the first 
public key having been previously encrypted by the second private key: 

b) providing the recovered first public key to be used for encrypting a content 

20 encryption key; 

c) receiving the enciypted content encryption key; and 

d) recovering the content encryption key using the first private key. 



25 50. The method as set forth in claim 47. wherein the method further comprises 
steps of: 

e) receiving encrypted content; and 

f) recovering content using the recovered content encryption key. 
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